Survey of IDS in MANET against Black Hole Attack

International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 5, May 2013
ISSN 2319 - 4847
Sarita Badiwal (1), Vandna Verma (2)
(1) B.E, Computer Science and Engineering
(2) Asst. Professor (CSE Dept.)
(1, 2) Rajasthan College of Engineering for Women, Jaipur, Rajasthan
ABSTRACT
A MANET is a network of mobile nodes without any infrastructure. Because of its dynamic nature, a MANET is at greater risk of attack. There are several attacks on MANETs. The black hole attack is one in which a node advertises itself as having the shortest path to the destination node and then drops every packet coming from the source node. In this paper, we review different IDS-based solutions against black hole attacks in mobile ad hoc networks and compare these schemes thoroughly to find their various advantages and disadvantages.
KEYWORDS: AODV, Black hole attack, IDS, MANET.
1. INTRODUCTION:
A MANET is a self-configuring, distributed network. In a mobile ad hoc network, nodes communicate with each other on the basis of mutual trust. MANETs are widely used for military purposes, disaster relief, personal area networks and so on. Each node communicates with the others while also acting as a router. MANETs are more vulnerable to malicious attack because of features such as an open medium, a dynamically changing topology, the lack of central monitoring and management, cooperative algorithms and so on. These attacks include snooping attacks, wormhole attacks, black hole attacks, routing table overflow and poisoning attacks, packet replication, denial of service (DoS) attacks, distributed DoS (DDoS) attacks, etc. In this paper we describe black hole attacks on the AODV routing protocol in mobile ad hoc networks. We use the AODV protocol because it is widely used and vulnerable to these attacks. Security is the most important concern for a mobile ad hoc network. Therefore, efficient intrusion detection must be deployed to facilitate the identification and isolation of attacks. In this paper we survey various intrusion detection techniques in MANETs against the black hole attack. According to how the information is acquired, routing protocols can be classified into proactive, reactive and hybrid routing.
1.1 Proactive (table-driven) Routing Protocol
Proactive routing is also known as table-driven routing. In this kind of protocol, mobile nodes periodically broadcast their routing information to their neighbours. Each node must maintain a routing table that records not only adjacent and reachable nodes but also the number of hops. The disadvantage is therefore that overhead rises as the network grows, with significant communication overhead in a larger network topology. The major advantage, however, is that the network status is known immediately if a malicious attacker joins. The most familiar proactive routing protocols are the Destination-Sequenced Distance Vector (DSDV) routing protocol [1] and the Optimized Link State Routing (OLSR) protocol [2].
1.2. Reactive (on-demand) Routing Protocol
Reactive routing is also called on-demand routing. In comparison with proactive routing, reactive routing starts only when nodes want to transmit data packets. The major advantage is the reduction of the bandwidth wasted by periodic broadcasts. The disadvantage of reactive routing is the loss of some packets. Two prevalent on-demand routing protocols are Ad hoc On-demand Distance Vector (AODV) [3] and Dynamic Source Routing (DSR) [4].
1.3. Hybrid Routing Protocol
A hybrid routing protocol, as the name suggests, combines the advantages of proactive and reactive routing to overcome the defects of each when used separately. Hybrid routing protocols are mostly designed as a hierarchical or layered network framework. Initially, proactive routing is employed to collect unfamiliar routing information; at a later stage, reactive routing is used to maintain the routing information when the network topology changes. The familiar hybrid routing protocols are the Zone Routing Protocol (ZRP) [5] and the Temporally-Ordered Routing Algorithm (TORA) [6].
2. OVERVIEW ON AODV:
AODV combines properties of both DSR and DSDV. It uses a route discovery process and maintains route information in routing tables. It is a reactive protocol, as it does not need to maintain routes to nodes that are not communicating. AODV handles route discovery by broadcasting Route Request (RREQ) messages to neighbour nodes. The message floods through the network until the desired destination is reached. Sequence numbers are used to guarantee loop freedom. Each node that an RREQ message passes through allocates a route table entry for the reverse route. The destination node unicasts a Route Reply (RREP) back to the source node. Each node transmitting an RREP message creates a routing table entry for the forward route. Figure 1 shows the AODV routing protocol with RREQ and RREP messages [7].

Figure 1: Route discovery process (RREQ and RREP messages)

For route maintenance, nodes periodically send HELLO messages to neighbour nodes. If a node fails to receive three consecutive HELLO messages from a neighbour, it concludes that the link to that node is down. A node that detects a broken link sends a Route Error (RERR) message to any upstream node. When a node receives a RERR message, it initiates a new route discovery process. Fig. 2 shows the AODV routing protocol with RERR message [7].

Figure 2: AODV routing protocol with RERR message (nodes S, A, B, D; route and RERR).
3. BLACK HOLE ATTACK:
There are two types of attack:
3.1 Single Black hole attack: In this type of attack, one malicious node uses the routing protocol to claim that it has the shortest path to the destination node, but drops routing packets and does not forward packets to its neighbours.
3.2 Cooperative Black hole attack: A black hole is a malicious node that falsely replies to route requests that it has a fresh route to the destination and then drops all the packets it receives. The chance of serious damage arises if malicious nodes work together as a group. This is called a cooperative black hole attack.
In a black hole attack, a malicious node may advertise a fresh path to a destination during the routing process. The intention of the node may be to disturb the path-finding process or interpret the packet being sent to the destination. For example, in AODV, the attacker can send a fake RREP (including a fake destination sequence number that is fabricated to be equal to or higher than the one contained in the RREQ) to the source node, claiming that it has a sufficiently fresh route to the destination node. This causes the source node to select the route that passes through the attacker. All traffic will therefore be routed through the attacker, who can misuse or discard it. The way the malicious node fits into the data routes varies. Fig. 1 [18] shows how the black hole problem arises: node “A” wants to send data packets to node “D” and initiates the route discovery process. If node “C” is a malicious node, it will claim that it has an active route to the specified destination as soon as it receives RREQ packets. It will then send the response to node “A” before any other node. Node “A” will thus think that this is the active route and that route discovery is complete. Node “A” will ignore all other replies and will start sending data packets to node “C”. In this way all the data packets will be consumed or lost.
Fig. 1 Black hole attack
4. INTRUSION DETECTION SYSTEM:
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing
them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies,
acceptable use policies, or standard security practices [8].
Intrusion detection systems can be classified as network-based IDS, which runs on a gateway of a network, obtains audit data from the traffic that flows through it and then analyzes the collected data, and host-based IDS, which acquires this data through the operating system's log files on the node. Depending on the detection technique used, IDS can be classified into three main categories:
4.1. Signature-based (Misuse detection model): It compares known threat signatures to observed events to identify intrusions. This is a very effective model for detecting known threats but is mainly ineffective at detecting unknown threats and many variants of known threats. Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events.
4.2. Anomaly-based detection: It compares definitions of what activity is considered normal against observed events to identify significant deviations (anomalous behaviour). This is done by monitoring the characteristics of typical activity over a period of time through maintained profiles. The IDPS then compares the characteristics of current activity to thresholds related to the profile. Anomaly-based detection methods are very useful for detecting previously unknown threats but may generate many false positives, as a slight deviation in user activity may cause an alarm.
4.3. Specification-based detection: It defines a set of constraints that describes the correct operation of a program or protocol. It checks the execution of the program against the defined constraints. This technique provides the capability of detecting previously unknown attacks with a low false positive rate.
5. RELATED WORK
DPRAODV (A Dynamic Learning System Against Black hole Attack in AODV Based MANET) [9]: In this scheme, if the RREP sequence number is greater than a threshold, the sender is regarded as an attacker and added to a black list. An ALARM carrying the black list is sent to its neighbours so that they block the malicious node. The dynamic threshold value, in turn, is updated in each time slot by calculating the average of the destination sequence number between the sequence number and the RREP packet. In this way the black hole is not only detected but also prevented, since the updated threshold responds to the realistic network environment.
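
The fake RREP from Section 3 and the threshold check described for DPRAODV, run side by side over a constructed trace. This is an added example, not code from [9]: the class and field names, the starting threshold and the `margin` factor are assumptions, and the check is interpreted as comparing the jump in destination sequence number over the value the source already holds.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass(frozen=True)
class Rrep:
    sender: str     # node that sent the RREP
    dest: str       # destination the route leads to
    dest_seq: int   # advertised destination sequence number
    hops: int       # advertised hop count
    slot: int       # time slot of arrival


@dataclass
class Monitor:
    threshold: float = 20.0   # assumed starting threshold
    margin: float = 3.0       # assumed tolerance factor, not from the page
    routes: dict = field(default_factory=dict)   # dest -> (seq, hops, next hop)
    blacklist: set = field(default_factory=set)
    slot: int = 0
    diffs: list = field(default_factory=list)    # jumps seen in the current slot

    def aodv_would_accept(self, r: Rrep) -> bool:
        """Plain AODV rule: fresher sequence number wins, ties go to fewer hops."""
        seq, hops, _ = self.routes.get(r.dest, (-1, 0, None))
        return r.dest_seq > seq or (r.dest_seq == seq and r.hops < hops)

    def handle(self, r: Rrep) -> str:
        if r.slot != self.slot:                  # new time slot: relearn threshold
            if self.diffs:
                self.threshold = self.margin * mean(self.diffs)
            self.slot, self.diffs = r.slot, []
        if r.sender in self.blacklist:
            return "blocked"
        known_seq = self.routes.get(r.dest, (0, 0, None))[0]
        jump = r.dest_seq - known_seq
        if jump > self.threshold:                # implausibly fresh route
            self.blacklist.add(r.sender)         # an ALARM would carry this list
            return "alarm"
        self.diffs.append(max(jump, 0))          # learn only from plausible RREPs
        if self.aodv_would_accept(r):
            self.routes[r.dest] = (r.dest_seq, r.hops, r.sender)
            return "accepted"
        return "stale"


def run_demo():
    # Constructed trace: B and E are honest, C forges a very high sequence number.
    trace = [
        Rrep("B", "D", 12, 3, slot=0),
        Rrep("E", "D", 14, 4, slot=0),
        Rrep("C", "D", 4000, 1, slot=1),
        Rrep("C", "D", 15, 1, slot=1),
        Rrep("B", "D", 16, 3, slot=1),
    ]
    mon = Monitor()
    verdicts = [mon.handle(r) for r in trace]
    return mon, verdicts


if __name__ == "__main__":
    mon, verdicts = run_demo()
    print(verdicts, mon.routes, mon.blacklist, mon.threshold)
```

The forged RREP satisfies the plain AODV freshness rule, which is why the source would otherwise route through node C; the threshold check rejects it because the jump is far larger than the jumps learned in the previous slot.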
In [10] and [11], the authors introduce the route confirmation request (CREQ) and route confirmation reply (CREP) to avoid the black hole attack. In this approach, the intermediate node not only sends RREPs to the source node but also sends CREQs to its next-hop node toward the destination node. After receiving a CREQ, the next-hop node looks up its cache for a route to the destination. If it has the route, it sends the CREP to the source node. Upon receiving the CREP, the source node can confirm the validity of the path by comparing the path in the RREP and the one in the CREP. If both match, the source node judges that the route is correct. One drawback of this approach is that it cannot avoid the black hole attack in which two consecutive nodes work in collusion, that is, when the next-hop node is a colluding attacker sending CREPs that support the incorrect path.
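
The CREQ/CREP comparison described above, as an added example that is not code from [10] or [11]. The `Node` class, the list encoding of paths and the `colludes` flag are assumptions made for illustration; the cases cover what the check catches and the colluding next hop it cannot.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    cache: dict = field(default_factory=dict)  # dest -> hops after this node
    colludes: bool = False                     # demo flag: backs a partner's claim

    def crep_path(self, dest, claimed):
        """Answer a CREQ with the path this node reports to the source."""
        if self.colludes:
            return list(claimed)               # repeats the path from the RREP
        if dest == self.name:
            return [self.name]
        tail = self.cache.get(dest)
        return None if tail is None else [self.name, *tail]


def confirm(rrep_path, dest, nodes):
    """Source-side check: RREP path from the next hop onward must equal the CREP."""
    if len(rrep_path) < 2 or rrep_path[-1] != dest:
        return "malformed"
    claimed = rrep_path[1:]                    # next hop ... destination
    crep = nodes[claimed[0]].crep_path(dest, claimed)
    if crep is None:
        return "unconfirmed"                   # next hop has no route, no CREP
    return "confirmed" if crep == claimed else "mismatch"


def run_cases():
    # Constructed topology; the first path element is the node that sent the RREP.
    nodes = {n.name: n for n in [
        Node("N", {"D": ["D"]}),               # honest next hop, one hop from D
        Node("P", {"D": ["Q", "D"]}),          # honest, but its route goes via Q
        Node("R"),                             # honest, no route to D
        Node("M", colludes=True),              # colluding next hop
        Node("D"),
    ]}
    return {
        "honest": confirm(["I", "N", "D"], "D", nodes),
        "different_route": confirm(["C", "P", "D"], "D", nodes),
        "no_route": confirm(["C", "R", "D"], "D", nodes),
        "colluding": confirm(["C", "M", "D"], "D", nodes),
    }


if __name__ == "__main__":
    print(run_cases())
```

The "colluding" case returns the same verdict as the honest one, so a source relying on this comparison alone cannot tell the two apart.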
In [13], Satoshi Kurosawa et al. introduce an anomaly detection scheme to detect the black hole attack using a dynamic training method in which the training data is updated at regular time intervals to express the state of the network. In this scheme, the average of the difference between the Dst_Seq in the RREQ packet and the one held in the list is calculated, and this operation is executed for every received RREP packet. The average of this difference is finally calculated for each time slot and taken as the feature. Hence, it consumes a considerable amount of time to do the calculations for every RREP packet.
In [14], Ming-Yang Su et al. discuss a mechanism known as ABM (Anti-Black hole Mechanism), which is mainly used to estimate the suspicious value of a node according to the amount of abnormal difference between the RREQs and RREPs transmitted from the node. When a suspicious value exceeds the limit, the nearby IDS broadcasts a block message containing the ID of the IDS, the identified black hole node and the time of identification, so that nodes place the malicious node on their blacklists to isolate it in the network cooperatively. The advantage of this method is that it is able to detect cooperative black hole nodes in MANETs. The main drawback of this technique is that mobile nodes have to maintain an extra database for training data and its updating, in addition to the maintenance of their routing table.
The scheme in [15] provides trust-based communication in MANET using AOMDV-IDS against the black hole attack. AOMDV-IDS performs real-time detection of attacks using the AOMDV routing protocol. In AOMDV, RREQ transmission from the source to the target establishes multiple reverse paths both at intermediary nodes and at the destination. Multiple RREPs traverse these reverse routes back to form multiple onward routes to the target at the source and intermediary nodes. The multiple routes revealed are loop-free and disjoint. AOMDV depends on the routing information already available in the AODV protocol, thus avoiding the overhead of determining multiple paths.
In [16], Alem, Y.F. et al. propose a solution based on Intrusion Detection using Anomaly Detection (IDAD) to prevent attacks by both single and multiple black hole nodes. IDAD assumes that every activity of a user can be monitored and that the anomalous activities of an intruder can be distinguished from normal activities. To find a black hole node, IDAD needs to be provided with a pre-collected set of anomaly activities, called audit data. Once the audit data has been collected and given to the IDAD system, the system can compare every activity with the audit data. If any activity of a node is outside the activities listed in the audit data, the IDAD system isolates that node from the network. The reduction in the number of routing packets in turn minimizes network overhead and facilitates faster communication.
Herminder Singh et al. [17] discuss the AODV protocol suffering from the black hole attack and propose a feedback solution which comparatively decreases the amount of packet loss in the network. The black holes are detected by examining the number of sent packets at a node, which will always be equal to zero in most cases. After the malicious black nodes have been detected, a feedback method can be adopted to avoid the reacceptance of incoming packets at these black holes. The packets arriving at the nodes immediately before the black nodes are propagated back to the sender, and the sender follows an alternative, safer route to the destination. However, it cannot detect black hole nodes when they work as a group.
6. COMPARISON OF VARIOUS SOLUTIONS TO BLACK HOLE ATTACK
The various solutions to black hole attacks proposed by several authors are analyzed and compared on important parameters in Table 1.
Table 1: Comparison of available solutions to black hole attacks on AODV
Technique proposed by
Techniques
Type of black hole attack
Merits
Demerits
Payal
N.
Raj1
and
Prashant B.
Swadas2,
2008 [8].
Y.Zhang
and
W.Lee,2000[10]
Satoshi
Kurosawa,
Hidehisa
Nakayama,
Nei
Kato,
Abbas
Jamalipour,
Yoshiaki Nemoto,
Nov. 2007 [13].
Ming-Yang Su;
Kun-Lin Chiang;
Wei-Cheng Liao,
Sept. 2010 [14].
Akanksha Jain,
Compares the
RREP sequence
numbers
with
threshold value
using
dynamic
learning method
introduces the
CREQ and CREP
to avoid black
hole
A
new
detection method
based
on
dynamically
updated training
data.
Single
and
multiple black
hole
An Anti-Black
hole Mechanism
(ABM) using IDS
Trust
based
Routing
Protocol
Increases
PDR
with
Minimum
increase
in
Average end-toend delay
Low cost
Higher Routing
overhead and can’t
detect cooperative
black holes
AODV
Time delay and
false positives
AODV
Single black
hole
Detection rate
and
false
positive
rate
improve
Network delay
AODV
Multiple
black holes
High
detection rate
Time delay
AODV
Poor
AODV
Single black
hole
Single black
Minimum
april 2012[15]
communication
using
AOMDV_IDS
hole
overhead
Alem,
Y.F.;
Zhao
Cheng
Xuan; May 2010
[16].
Intrusion
detection using
anomaly
detection (IDAD)
Single
and
multiple black
hole nodes
Minimum
network
overhead
Sen,J.;
Koilakonda,
S.;
Ukil, A.; 2011
[17].
Data Routing
Information(DRI)
table of Next hop
node
Co-operative
black holes
Higher
throughput
performance
of
network due to
Routing overhead
increases
Neighbour
nodes may give
false information
More
communication
overhead of route
request
AODV
AODV
7. CONCLUSION
In this paper an overview of MANET is presented first. We then describe the AODV protocol in MANET. Various authors have given several proposals for detection and prevention of black hole attacks in MANET, but every proposal has its own disadvantages, and we have compared the existing solutions. We observe that the mechanisms detect black hole nodes, but none is a reliable procedure, since most of the solutions incur more time delay and much network overhead because of newly introduced packets and some mathematical calculations. Future work is to find an effective solution to the black hole attack on the AODV protocol.
REFERENCES
[1.] Perkins CE, Bhagwat P (1994) Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for
Mobile Computers. Paper presented at the ACM SIGCOMM’94 Conference, London, United Kingdom, August 31
- September 2, 1994.
[2.] Jacquet P, Muhlethaler P, Clausen T, Laouiti A, Qayyum A, Viennot L (2001) Optimized Link State Routing
Protocol for Ad Hoc Networks. Paper presented at the IEEE International Multi Topic Conference, Lahore,
Pakistan, 28-30 December 2001.
[3.] Perkins CE, Royer EM (1999) Ad-hoc On-Demand Distance Vector Routing. Paper presented at the Second IEEE
Workshop on Mobile Computing Systems and Applications, New Orleans, Louisiana, 25-26 February 1999.
[4.] Johnson DB, Maltz DA (1996) Dynamic Source Routing in Ad Hoc Wireless Networks. In: Imielinski T, Korth H
(eds) Mobile Computing, vol 353. Kluwer Academic Publishers, pp 153–181.
[5.] Haas ZJ, Pearlman MR, Samar P (2002) The zone routing protocol (ZRP) for ad hoc networks. IETF Internet
Draft.
[6.] Park V, Corson S (1998) Temporally-Ordered Routing Algorithm (TORA) Version 1 Functional Specification.
Internet Draft, Internet Engineering Task Force MANET Working Group.
[7.] Tamilarasan-Santhamurthy; “A Comparative Study of Multi-Hop wireless Ad-Hoc Network Routing Protocols in
MANET”, IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 5, No 3, September 2011, PP:
176-184.ISSN(online):1694-0814.
[8.] Noman Mohammed, Hadi Otrok, Lingyu Wang, Mourad Debbabi and Prabir Bhattacharya “Mechanism Design-Based Secure Leader Election Model for Intrusion Detection in MANET”, IEEE Transactions on Dependable and Secure Computing, vol. 99, no. 1, 2008.
[9.] Raj PN, “DPRAODV: A Dynamic Learning System Against Blackhole Attack in AODV based MANET”, International Journal of Computer Science 2: 54-59, 2009.
[10.] Y.Zhang and W.Lee,”Intrusion detection in wireless ad-hoc networks”, 6th annual international Mobile
computing and networking conference proceedings, 2000.
[11.] Seungjoon Lee, Bohyung Han, Minho Shin; “Robust Routing in Wireless Ad Hoc Networks” 2002, international
Conference.
[12.] Preventing Black Hole Attack in Mobile Ad-hoc Networks Using Anomaly Detection by Yibeltal Fantahum Alem
& Zhao Hheng Xaun from Tainjin 300222, China 2010, IEEE.
[13.] Satoshi Kurosawa, Hidehisa Nakayama, Nei Kato, Abbas Jamalipour, and Yoshiaki Nemoto; “Detecting Blackhole Attack on AODV-based Mobile Ad Hoc Networks by Dynamic Learning Method”, International Journal of Network Security, Vol.5, No.3, PP.338–346, Nov. 2007.
[14.] Ming-Yang Su; Kun-Lin Chiang; Wei-Cheng Liao, "Mitigation of Black-Hole Nodes in Mobile Ad Hoc
Networks," Parallel and Distributed Processing with Applications (ISPA), 2010 International Symposium on,
vol., no., pp.162-167, 6-9 Sept. 2010.
[15.] Akanksha Jain,”Trust Based Routing Mechanism Against Black Hole Attack using AOMODV-IDS System In
MANET Format” IJETAE, vol. 2, April 2012.
[16.] Alem, Y.F.; Zhao Cheng Xuan; , “Preventing black hole attack in mobile ad-hoc networks using Anomaly
Detection,” Future Computer and Communication (ICFCC), 2010 2nd International Conference on , vol.3, no.,
pp.V3-672-V3-676, 21-24 May 2010.
[17.] Herminder Singh, Shweta “An approach for detection and removal of Black hole In MANETS” International Journal of Research in IT & Management (IJRIM) Volume 1, Issue 2 (June, 2011).
[18.] Irshad Ullah Shoaib UR Rehman, “Analysis of Black Hole Attack on MANETs Using Different MANET Routing
Protocols”,June 2010.
AUTHOR
Sarita Badiwal received the B.E degree in Computer Science and Engineering from R.C.E.W, Jaipur in
2008 and pursuing M.Tech in Computer Science from R.C.E.W, Jaipur.